Merge "ovsfw: Add a dl_type match for action=ct flows"

2016-10-20 14:21:04 +00:00 · 2016-10-20 14:21:04 +00:00 · d2b017da9b
commit d2b017da9b
parent cbb7dc0fb2 14ee32940c
1 changed files with 34 additions and 28 deletions
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@ -483,14 +483,16 @@ class OVSFirewallDriver(firewall.FirewallDriver):
                ovsfw_consts.REG_PORT,
                ovs_consts.BASE_INGRESS_TABLE),
        )
-        self._add_flow(
-            table=ovs_consts.ACCEPT_OR_INGRESS_TABLE,
-            priority=90,
-            reg_port=port.ofport,
-            ct_state=ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED,
-            actions='ct(commit,zone=NXM_NX_REG{:d}[0..15]),normal'.format(
-                ovsfw_consts.REG_NET)
-        )
+        for ethertype in [constants.ETHERTYPE_IP, constants.ETHERTYPE_IPV6]:
+            self._add_flow(
+                table=ovs_consts.ACCEPT_OR_INGRESS_TABLE,
+                priority=90,
+                dl_type=ethertype,
+                reg_port=port.ofport,
+                ct_state=ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED,
+                actions='ct(commit,zone=NXM_NX_REG{:d}[0..15]),normal'.format(
+                    ovsfw_consts.REG_NET)
+            )
        self._add_flow(
            table=ovs_consts.ACCEPT_OR_INGRESS_TABLE,
            priority=80,
@ -535,16 +537,18 @@ class OVSFirewallDriver(firewall.FirewallDriver):
            ct_state=ovsfw_consts.OF_STATE_NOT_ESTABLISHED,
            actions='drop'
        )
-        self._add_flow(
-            table=ovs_consts.RULES_EGRESS_TABLE,
-            priority=40,
-            reg_port=port.ofport,
-            ct_state=ovsfw_consts.OF_STATE_ESTABLISHED,
-            actions="ct(commit,zone=NXM_NX_REG{:d}[0..15],"
-                    "exec(set_field:{:s}->ct_mark))".format(
-                        ovsfw_consts.REG_NET,
-                        ovsfw_consts.CT_MARK_INVALID)
-        )
+        for ethertype in [constants.ETHERTYPE_IP, constants.ETHERTYPE_IPV6]:
+            self._add_flow(
+                table=ovs_consts.RULES_EGRESS_TABLE,
+                priority=40,
+                dl_type=ethertype,
+                reg_port=port.ofport,
+                ct_state=ovsfw_consts.OF_STATE_ESTABLISHED,
+                actions="ct(commit,zone=NXM_NX_REG{:d}[0..15],"
+                        "exec(set_field:{:s}->ct_mark))".format(
+                            ovsfw_consts.REG_NET,
+                            ovsfw_consts.CT_MARK_INVALID)
+            )

    def _initialize_ingress_ipv6_icmp(self, port):
        for icmp_type in firewall.ICMPV6_ALLOWED_TYPES:
@ -644,16 +648,18 @@ class OVSFirewallDriver(firewall.FirewallDriver):
            ct_state=ovsfw_consts.OF_STATE_NOT_ESTABLISHED,
            actions='drop'
        )
-        self._add_flow(
-            table=ovs_consts.RULES_INGRESS_TABLE,
-            priority=40,
-            reg_port=port.ofport,
-            ct_state=ovsfw_consts.OF_STATE_ESTABLISHED,
-            actions="ct(commit,zone=NXM_NX_REG{:d}[0..15],"
-                    "exec(set_field:{:s}->ct_mark))".format(
-                        ovsfw_consts.REG_NET,
-                        ovsfw_consts.CT_MARK_INVALID)
-        )
+        for ethertype in [constants.ETHERTYPE_IP, constants.ETHERTYPE_IPV6]:
+            self._add_flow(
+                table=ovs_consts.RULES_INGRESS_TABLE,
+                priority=40,
+                dl_type=ethertype,
+                reg_port=port.ofport,
+                ct_state=ovsfw_consts.OF_STATE_ESTABLISHED,
+                actions="ct(commit,zone=NXM_NX_REG{:d}[0..15],"
+                        "exec(set_field:{:s}->ct_mark))".format(
+                            ovsfw_consts.REG_NET,
+                            ovsfw_consts.CT_MARK_INVALID)
+            )

    def add_flows_from_rules(self, port):
        self._initialize_tracked_ingress(port)